Solved

Account Lockout

Posted on 2011-03-08
Last Modified: 2012-05-11
I have a few user accounts, mine being one of them, that keep getting locked out.  I checked the security logs on the system and it is constantly coming from a single machine on the network.  This just started today.  If I turn the machine off then all is well.  If I turn it back on...  well, I'm guessing one of the services is using credentials.  The other is a user that is no longer with the company, and whose account has been disabled for quite some time.  Is there a way I can find out what services are using these credentials on the server?  Any guidance would be greatly appreciated.
Question by:Infamous_Q
7 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 35075064
0
 
LVL 3

Expert Comment

by:Rhyseh
ID: 35075145
We had a similar issue some years ago where one of our servers missed an update and got a malware infection. It then proceeded to attempt to brute force its way into our network by repeatedly sending validation requests with random user account names. This caused the accounts to become locked.

We fixed this by patching the server and manually stamping out the infection, however if this is a client machine I would just give it a reimage and get rid of this headache.
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35077481
Since you traced it to one computer, you are already half way there. Next you have to check all services.

BTW, what OS is the offending machine running? If Windows 2000 or later, then go to Start\Run, type services.msc and press OK. This will start the services applet. In here, check the Log On As column to see if the account that is being locked out is there.

Also, Internet Explorer might be trying to access a server with the username that is locked out. Check all passwords that are stored on the machine. In XP you can type control userpasswords2 and see all the usernames/passwords stored. In Win7, open Control Panel, go to User Accounts, then click on Manage your credentials. Also, you can use Internet Explorer to delete all history, stored forms, passwords, etc.

The last thing to check is if there is any program running that might be trying to login to your servers. Open up the Task Manager and see if there is any "dodgy" process. Kill it and try to stop it from starting again, restart the computer and monitor.

It is a slow process to get this sorted but if you follow the correct path, you will get there.

Regards
0
 
LVL 3

Expert Comment

by:sam0x01
ID: 35079267
Any authentication request from that computer could be causing it.

This may come from a service, scheduled task, or program that runs in the background.

Running schtasks /v on the computer or schtasks /S [computername] /v remotely while the computer is powered on will show the scheduled tasks and the credentials they run under.

Running wmic service get displayname,state,startname will show the services, state and username.

Running wmic /node:[computername] service get displayname,state,startname remotely will do the same.

If this is a program not running as a scheduled task or a service, and if it is a desktop, rebuilding it would be the easiest thing to do.

Otherwise opening each installed program and script on the server will eventually find the one that is causing it.
0
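As an added example (not part of any post in this thread), the service and scheduled-task listings described above can be filtered for the locked-out accounts instead of being read by eye. It assumes the listings were saved in CSV form (`wmic ... /format:csv` and `schtasks /query /v /fo csv`); the host, account and task names are constructed, and only the columns the script reads are shown.

```python
import csv
import io

# Built-in identities: these never authenticate as a domain user, so skip them.
BUILTIN = {"", "n/a", "localsystem", "system", "nt authority\\system",
           "nt authority\\localservice", "nt authority\\local service",
           "nt authority\\networkservice", "nt authority\\network service"}

def _norm(account):
    """Reduce 'CORP\\user' or 'user@corp.example' to a bare lower-case 'user'."""
    return account.strip().lower().split("\\")[-1].split("@")[0]

def find_credential_users(csv_text, name_col, account_col, watched):
    """Return (name, account) for rows that run as one of the watched accounts."""
    wanted = {_norm(w) for w in watched}
    # wmic /format:csv starts with a blank line; drop empty lines before parsing.
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    hits = []
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        account = (row.get(account_col) or "").strip()
        if account.lower() in BUILTIN:
            continue
        if _norm(account) in wanted:
            hits.append((row[name_col], account))
    return hits

# Constructed sample: wmic service get displayname,state,startname /format:csv
SERVICES_CSV = """
Node,DisplayName,StartName,State
SRV01,Print Spooler,LocalSystem,Running
SRV01,DNS Client,NT AUTHORITY\\NetworkService,Running
SRV01,Backup Agent,CORP\\former.employee,Running
"""

# Constructed sample: schtasks /query /v /fo csv (other columns omitted)
TASKS_CSV = '''"HostName","TaskName","Run As User"
"SRV01","NightlyReport","CORP\\infamous.q"
"SRV01","Defrag","NT AUTHORITY\\SYSTEM"
'''

WATCHED = ["infamous.q", "former.employee"]  # hypothetical locked-out accounts

if __name__ == "__main__":
    print(find_credential_users(SERVICES_CSV, "DisplayName", "StartName", WATCHED))
    print(find_credential_users(TASKS_CSV, "TaskName", "Run As User", WATCHED))
```

An empty result for both listings, as in the asker's later update, means the credentials are being used by something other than a service or task logon account, such as a stored password or a running program.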
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35083955
Thanks for all of the advice.  I will be working on this issue today to see where the problem is.  I'll post an update as soon as I have something.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35096137
So the services on the system are all running as local or network services, and I just finished running a full scan for virus/spyware.  Nothing so far. There are also no scheduled tasks on the machine.  To answer an above question, this is a Server 2003 machine.  However, it's not running all of the latest updates.  I will update the machine and install the lockout tools and post results.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35117149
I updated the system to the most recent and used the tools.  After finding the reason using the tools, I was able to kill the rogue service and fix things.  Thanks very much for all of your help.
0
